Posted
by
kdawson
on Tuesday September 08, 2009 @04:30PM
from the who-needs-a-botnet dept.

Trailrunner7 writes "Today vendors are finally releasing patches for the TCP vulnerabilities first publicized nearly a year ago that affect a huge range of networking products, including any device running a version of Cisco's IOS software, and a number of Microsoft server and desktop operating systems. Both Microsoft and Cisco released fixes for the vulnerabilities today. The Microsoft Patch Tuesday release included the fix for the TCP flaw, which affects Windows Server 2003 and 2008, as well as Windows Vista, both the 32-bit and 64-bit editions, and Windows 2000 SP4, for which no fix is coming. The TCP flaws were identified several years ago and were made public last year by two researchers at Outpost24, Jack C. Louis and Robert E. Lee. Louis, who has since died, developed a tool called Sockstress that tested for the flaw and was able to maintain extremely long-term TCP connections with remote machines using very little bandwidth."

Just think of all the meetings that had to be convened, coffee brewed, dinners expensed discussing the potential impact of these flaws, input from the legal department on the cost of fixing the bug versus potential liability including agreement to the shrinkwrap license that absolves MS of any liability unless a judge someday says otherwise, reading the tea leaves, God the list goes on and on.

Alternatively, just think of what would have happened if either of those giants had released a patch for something as fundamental as the TCP stack that introduced a new bug or worse hole; then automatically pushed it to millions of users. A year might be excessive, but considering the size of their userbases... I can understand it.

Yes, absolutely. TCP is so complicated that only few engineers know precisely how it works and can patch the flaw. And probably it also lacks test tools. OMG. I'm so happy that it took them only a year.

/sarcams

WTF. Get real. TCP is studied and implemented as a lab assignment now in pretty much every university by all who in any way relate to network programming. Test tools and analyzers are abundant (both hardware and software) and can simulate pretty much any kind of load. There are even commercial

WTF. Get real. TCP is studied and implemented as a lab assignment now...

Your point that TCP programming is practiced in abundance is well taken, but my experience has taught me that anything related to network programming in general, and TCP/IP implementations in particular (particularly where interoperability between your product and TCP stacks you've never seen before is concerned) is astoundingly difficult, and that anyone who believes that they've got all the bases covered, that they've foreseen everything that could go wrong, and that they're in the clear because their tests indicates that all their stuff is RFC-compliant will be the first to get their asses kicked hard after they release their product.

True. (Wouldn't lie - I personally implemented in past only about 50% of TCP.)

Nevertheless, it's pretty well known fact that MS took their implementation of TCP from BSD which apparently doesn't have the problem. More than that they took fresh implementation from FreeBSD relatively recently for 2003 Server.

Cisco IIRC also uses FreeBSD TCP implementation.

In other words, I still fail to see the problem: likewise they could have lifted the solution for the problem from the very same source where from

Nevertheless, it's pretty well known fact that MS took their implementation of TCP from BSD which apparently doesn't have the problem. More than that they took fresh implementation from FreeBSD relatively recently for 2003 Server.

STREAMS was always meant to be a temporary solution - it was slow and clunky, but it served as a stopgap while Microsoft worked on their own TCP stack.

Incidentally, when they ported STREAMS, they also ported the command line tools ("ftp", ect)that came with them, which were themselves ports of BSD's command line tools. Since the programs worked, they saw no reason to replace them.

Of course, when the tech press discovered they were ports (via disassembly, IIRC), they went crazy about it, as tech press does.

Nevertheless, it's pretty well known fact that MS took their implementation of TCP from BSD which apparently doesn't have the problem. More than that they took fresh implementation from FreeBSD relatively recently for 2003 Server.

It's also fairly well known that TCP/IP stack was rewritten from scratch in Vista/Win2008, with no BSD code left. So this doesn't seem to be relevant.

If the fix was so easy then the death of Jack Louis wouldn't have hampered the patch process. TFA mentions that even though he was in good contact with others and kept good notes his death caused a big slowdown in finishing the research and patch.

It's always easy to find other peoples bugs and go on about how easy it would be to fix it. It only gets hard when you're coding the bugfix and the obvious solutions aren't fixing the problem.

I'm not going to do all your research for you. About five seconds of Googling yields this Ubuntu page: Ubuntu Security Notice USN-819-1 [ubuntu.com].
Debian's notices shouldn't be that hard to find, either. Of course, you can always just try the proof of concept code on an updated Debian system if you seriously doubt the maintainers.

Debian (and by extension, Ubuntu) do a fine job of producing distributions and keeping them pretty secure. But you've not substantiated your claim that they've implemented their own kernel fix for CVE-2008-4609.

Until I can determine otherwise, I've got to retract my statement that this is fixed in Debian. I can't find any noise on any lists about this particular CVE with respect to Debian. I'll keep watching it, though.

and straightforward reason why these companies dont issue these patches sooner. "we dont have the resources" or "it just isnt hurting our bottom line yet" would be awesome to hear. i mean, if google can come out and do it then it says alot about the old guard if they cant.

Did you read Cisco's list [nether.net] of vulnerable hardware? It certainly takes a long time to test all of your currently supported hardware, test and release updates for all of them, many of which have multiple supported trains of software support that the fix needs to be rolled in to.

Today was a joint release date. That is to say: Everyone agreed that nobody would release their fix(es) until everyone was ready.This was done to ensure that an attacker did not reverse engineer one company's fix, and use the flaw to wreck havoc on another company's products.

And "Everyone" in this case includes more vendors than just Microsoft & Cisco. The firm I work for released our fix(es) for this issue today.

No, because I know that people who are willing to exploit the flaw already know how it works. For a start, you had to tell everyone in all the affected companies how it worked so they could fix it. And they told their sub contractors, who told some guy in India, who put in on his blog.I'd rather reward those that fixed it fast, or told me how to work around it. And if they don't, or can't, I'd rather know about it so I can do something myself.

(1) Because companies have discovered that it's far better for the PC ecosystem to release patches in a coordinated system (such as "Patch Tuesday") that corporations, etc. can plan for than to release everything ASAP

Obviously at the time IOS was designed, everyone would write their own special-purpose operating system for embedded devices. These days, wouldn't it make more sense to just scrap it and switch to Linux? Lots of other manufacturers are doing it (Linksys, Netgear, D-Link, etc.). This would certainly prevent this kind of embarassment.

Obviously at the time IOS was designed, everyone would write their own special-purpose operating system for embedded devices. These days, wouldn't it make more sense to just scrap it and switch to Linux? Lots of other manufacturers are doing it (Linksys, Netgear, D-Link, etc.). This would certainly prevent this kind of embarassment.

Lol. Because Linux hackers are (to a corporation) incomprehensible and unreliable. They have no contract that's broken if they choose NOT to help. History (linux people fix their software pretty much always) != reliability.

So what? Is x Linux hackers + y CISCO employees working on some code worse than y CISCO employees working on some code? If the Linux hackers don't do what you want them to do, fine, fork the code in the worst place. You're no worse off than you were just working on your own.

Thats right, the command goes right there and it runs as root. Thats a nightmare level security issue that CS101 students should be ashamed of, let alone from true hackers.

So imagine if linksys standardized on dd-wrt. Just clicking on http://192.168.1.1/cgi-bin/;rm-r [192.168.1.1] would destroy your router. That link could be be put everywhere on the web and would result in mass chaos.

I think a lot of companies know the quality from even the most popular OSS projects can be highly uneven and hackers are just that: hackers. They hack things together. Good design and security testing is usually an afterthought.

As if 'good design and security testing' always happens at large corporations like Cisco... right. That kind of stuff gets undercut all the time. They take the option of just waiting for the bugs to be found and patch them after the fact.

Linksys is owned by Cisco. Linksys makes devices that do most of what the Cisco boxes do at a fraction of the cost. If they were to switch the Cisco routers to Linux, they would effectively be telling their customers "there is no benefit to buying our high-end boxes over a Linksys router". Actually, the reason they are sticking with IOS is that people have payed and continue to pay thousands of dollars to get Cisco CCNA certification [cisco.com]. Switching to Linux would render all that training obsolete, and mean that

Too bad there isn't a -1 Wrong moderation. A high end Cisco router, and a Linksys consumer router are so fundamentally different that your assertion is laughable on its face. Perhaps the reason they are sticking with IOS is because their hardware and software is purpose built to shift orders of magnitudes more packets per second than LInksys Linux routers would ever be capable of? Watch out for the corporate conspiracy black helicopters though.

"IOS" has been rewritten and released half a dozen times, as NX-OS (which is Linux based), IOS-XR, IOS-XE (also Linux based), Modular IOS, and another major one in the pipeline. They all offer the same basic CLI interface that CCNA holders would be familiar with and instantly able to use.

I'd say IOS isn't just the software that runs their routers and so on, IOS is behind a product portfolio and provides Cisco with a vendor lock-in strategy (for want of a better phrase)...

Firstly, IOS is the operating system but on top of that, they can sell IOS as an individual product (even if it only comes bundled with other ones, it's good material for the marketing department) and they also have the numerous Cisco certifications that revolve around (or heavily involve) the usage of IOS.

Cisco's moving towards Linux. That post is 2 years old, and they've not announced anything hinting that anything BSD will be coming out. I have a feeling they're willing to deal with the GPL (Linux) just so they don't have to adopt BSD years after Juniper did, which could be a little embarassing.

It's like a SYN flood for most products (possible resource exhaustion) though all unpatched Vista derivatives (Vista, Server 2008, Win7, Server 2008 R2) have remote code vulnerabilities. Basically if you are upatched and someone wants to they can fill up the TCP memory on anything of yours that talks to the internet and knock that service or device offline while requiring very little resources on their part.

1st off, I can't duplicate it for Win2k. I'm using Windows 2000 Advanced Server as my testing machine, but that really shouldn't be an issue.2nd off, the release says the worst possible thing that can happen to Win2k is a DoS; the intense hatred microsoft has for people still using Win2k makes me think that they are possible telling an untruth.3rd off, I'd be sort of suspicious when the same thing applies to Win2k3 also; they aren't making money from windows 2003 these days, only the operating systems that

In Microsofts case i read the bulletin as it allows remote code execution in w2k8 and Vista. Thats very unpleasant considering it happens in the TCP/IP level and not higher up. Im no hacker but from what i can understand this exploit allows a hacker to own ANY affected system directly over the internet as long as any port on that target is accessible. I really hope im reading this wrong.

A firewall wont help at all in that case and critical is a very moderate rating indeed. Im very glad we havent upgraded to